The first quarter of 2020 was marked by a tremendous surge in phishing attempts. According to Barracuda Sentinel, between March 1 and March 23, 2020 alone, there was a 667% increase in spear phishing email attacks. Preying on the fear and confusion surrounding COVID-19, cybercriminals launched tailored campaigns to collect credentials and other sensitive data to perpetrate fraud.
Even the most vigilant employees have become distracted while navigating the new normal: clicking links they would previously have ignored or flagged as malicious, downloading malware payloads without a second thought, and disclosing personal information they once held close to their chests.
The real problem, though, is that phishing is only the tip of the iceberg. Phishing lures are often riddled with typos and odd links, so a trained eye can spot them and dodge the fraud they carry. Because they stand above the waterline, companies and employees can identify the campaigns and warn others about them. But the true damage happens where nobody is looking: below the surface. Plunge beneath the sea of cyberattacks and you will find an underbelly filled with bad bots.
Phishing Does One, Bots Do Many
When criminals run a phishing campaign, they are gathering login credentials and other sensitive information for a specific use, whether that is logging in to a personal banking account or an executive's mailbox. The attack follows a straight path: obtain the information, then use it to gain access. But the path does not have to end there. Criminals can also compile the harvested credentials and sell them on the Dark Web, where they become raw material for a second wave of attacks.
We are living in an era of sophisticated fraud in which nothing is off limits and everything keeps changing. The problem is that people are not adapting with it: they continue to reuse the same credentials across personal and professional accounts, and that poor cyber hygiene is exactly what makes bots so effective.
Using an attack method called "credential stuffing," bots automatically inject breached username/password pairs into login forms to gain access and hijack accounts. The difference is one of scale: where a phishing attack compromises one account, bots compromise many. Thanks to automation, a stolen credential list can be tested against sites across the internet without any special skills or knowledge, and for only a few hundred dollars' worth of tools and data. This low-risk, high-reward attack has become commonplace while remaining largely undetected.
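To make the "one account versus many" distinction concrete on the defender's side, here is an added example (not code from the original article or from Barracuda) that runs a simple credential-stuffing heuristic over a handful of constructed login-log lines. The log format (timestamp, source IP, username, OK/FAIL), the thresholds, and the sample addresses are all assumptions chosen for illustration. The telltale signature it looks for is the one the paragraph describes: a single source trying many different usernames, roughly once each, with a high failure rate, which is the opposite of a human who retries one account a few times.

```python
"""Credential-stuffing detector over a constructed authentication log.

Added example, not from the original article. The log format, the
sample addresses and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<timestamp> <source_ip> <username> <OK|FAIL>".
# 203.0.113.7 walks a breached list (ten users, one try each, one hit);
# 198.51.100.20 is a person mistyping a password; 192.0.2.44 is a clean login.
SAMPLE_LOG = """\
2020-03-10T09:00:01Z 203.0.113.7 alice FAIL
2020-03-10T09:00:01Z 203.0.113.7 bob FAIL
2020-03-10T09:00:02Z 203.0.113.7 carol FAIL
2020-03-10T09:00:02Z 203.0.113.7 dave FAIL
2020-03-10T09:00:03Z 203.0.113.7 erin OK
2020-03-10T09:00:03Z 203.0.113.7 frank FAIL
2020-03-10T09:00:04Z 203.0.113.7 grace FAIL
2020-03-10T09:00:04Z 203.0.113.7 heidi FAIL
2020-03-10T09:00:05Z 203.0.113.7 ivan FAIL
2020-03-10T09:00:05Z 203.0.113.7 judy FAIL
2020-03-10T09:01:00Z 198.51.100.20 alice FAIL
2020-03-10T09:01:07Z 198.51.100.20 alice FAIL
2020-03-10T09:01:20Z 198.51.100.20 alice OK
2020-03-10T09:02:00Z 192.0.2.44 bob OK
"""

Event = Tuple[str, str, str, bool]  # (timestamp, source_ip, username, success)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while walking the log."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    hijacked: List[str] = field(default_factory=list)  # accounts with a success

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


@dataclass
class Alert:
    source_ip: str
    attempts: int
    distinct_users: int
    failure_rate: float
    hijacked: List[str]  # accounts to force-reset / notify


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format; skip blanks/comments."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def profile_sources(events: List[Event]) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            if user not in s.hijacked:
                s.hijacked.append(user)
        else:
            s.failures += 1
    return dict(stats)


def detect_credential_stuffing(log_text: str, min_users: int = 5,
                               min_failure_rate: float = 0.7) -> List[Alert]:
    """Flag sources that try many distinct accounts and mostly fail.

    A human retrying one account never reaches min_users, and a legitimate
    shared egress (office NAT) has a low failure rate, so both stay quiet.
    Thresholds are illustrative assumptions, not tuned values.
    """
    alerts: List[Alert] = []
    for ip, s in profile_sources(parse_log(log_text)).items():
        if len(s.users) >= min_users and s.failure_rate >= min_failure_rate:
            alerts.append(Alert(ip, s.attempts, len(s.users),
                                round(s.failure_rate, 3), sorted(s.hijacked)))
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(SAMPLE_LOG):
        print(f"{a.source_ip}: {a.distinct_users} users, "
              f"{a.failure_rate:.0%} failures, hijacked={a.hijacked}")
```

The list of accounts that succeeded from a flagged source is the actionable output: those are the reused passwords the stuffing run actually landed, and they need a forced reset and a session revocation, not just a blocked IP. The per-IP key is the weak point of the heuristic, since a botnet or residential-proxy pool spreads the same list across thousands of addresses and keeps each one under the threshold; in practice the same counters are kept per ASN, device fingerprint or user-agent family, and the site-wide ratio of first-seen-username failures is watched as well. Note also that this signature is distinct from brute force (one username, many passwords) and password spraying (many usernames, one common password), which need their own rules.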
The Problem of Popular Security
When we think of popular, well-adopted security measures, phishing protection ranks high on the list. Even small businesses are often aware of phishing and take steps to implement email security controls and educate employees. But when our humanness fails us and we click a link or enter our credentials somewhere we should not have, we land in a deeper level of trouble.
In a perfect world our protections would be foolproof, but security is anything but perfect. As cybersecurity professionals we manage to that imperfection, layering in tools and processes to patch the shortcomings. Unfortunately, bots blend in so seamlessly with human internet traffic that even knowledgeable security professionals struggle to peek below the surface and see the hidden dangers.
It’s for all these reasons that it’s not enough to cut off phishing attacks. Instead, we must understand how methods link together to form sophisticated attacks in order to protect from every angle, and at every level of the iceberg.
See for yourself how bad bots complete credential stuffing attacks in our latest video, Bot Attacks 101: Credential Stuffing.